Subprocessors
Last updated: May 24, 2026
Every third-party service Plauditly uses to operate. For each: what they do, what data they see, where they process it, and the legal mechanism for any EU/UK→US transfer. Updated whenever we add or remove a provider; subscribers get 30 days' notice.
Current subprocessors
| Subprocessor | Purpose | Data | Location | Transfer mechanism |
|---|---|---|---|---|
| Supabase | Database, authentication, file storage | All account, project, testimonial, widget, and subscription data; auth sessions | US (us-east-1) | SCCs (Module 2) |
| Stripe | Payment processing, billing portal, webhooks | Subscription metadata, customer ID, billing email. We do not store payment cards. | US, Ireland | EU-US DPF (certified) |
| Vercel | Hosting, CDN, edge functions, Web Analytics | Page views (cookieless, no PII), application logs, env vars (encrypted at rest) | Global edge; primary US | EU-US DPF (certified) |
| Vercel AI Gateway | Route AI chatbot requests, observability | Chat message text (zero retention — not stored) | Global edge | Same as Vercel (EU-US DPF) |
| Anthropic | AI language model for support chatbot (Claude Haiku) | Chat message text + static system prompt (zero retention; not used for training) | US | EU-US DPF (certified) |
| Google | OAuth login (optional sign-in method) | Email and name from OAuth response when you choose Sign in with Google | Global | EU-US DPF (certified) |
| Resend | Transactional + marketing email delivery | Recipient email + email body (sign-in links, billing receipts, newsletter) | US | SCCs |
Transfer mechanism details
EU-US Data Privacy Framework (DPF) — used where the recipient appears on the active DPF participant list. Stripe, Vercel, Anthropic, and Google are currently certified under DPF and its UK Extension. The EU General Court upheld the DPF in September 2025; transfers under it are valid as of this policy's last-updated date.
Standard Contractual Clauses (SCCs) — European Commission Decision 2021/914, Module 2 (controller-to-processor) or Module 3 (processor-to-processor), as appropriate. Used for Supabase and Resend, which are not currently DPF-certified. Supplementary measures: TLS 1.2+ in transit, AES-256 at rest, role-restricted access, and transparency about US legal access (we will challenge or notify of any government request to the extent legally permitted).
UK transfers use the UK International Data Transfer Addendum to the SCCs. Swiss transfers rely on the Swiss-US DPF where applicable, with SCCs as fallback.
Sub-sub-processors
Sub-sub-processors used by each provider (e.g. AWS, GCP, Cloudflare for the underlying infrastructure) are covered under those providers' own DPAs and listed in their respective subprocessor pages. We don't restate them here because they change without us being notified.
Adding or removing subprocessors
We notify active subscribers via email at least 30 days before adding a new subprocessor that will process personal data. To object on reasonable grounds, reply to that email; we'll either resolve the concern or let you terminate the affected service without penalty.
To subscribe to subprocessor change notifications without an active paid plan, email legal@plauditly.app with subject "sub-processor notifications".
Data Processing Agreement
Our standard DPA, written to satisfy GDPR Article 28, is published at /legal/dpa. You can execute it by emailing acceptance from a corporate address; see that page for instructions.